[lockfile-stats] Lockfile Statistics Analysis — 2026-06-23 (250 lockfiles, 29.46 MB)

[github-actions[bot]]

Lockfile Statistics Analysis — 2026-06-23

Aggregate analysis of all compiled .github/workflows/*.lock.yml files. Single-script compact-JSON methodology; reasoning derived from a 4.8 KB summary, not raw file reads.

Executive summary

Metric	Value	Δ vs 2026-06-22
Lockfiles analyzed	250	+1
Malformed / skipped	0	—
Total size	29.46 MB (29,460,319 B)	+169.6 KB
Avg / median size	117.8 KB / 117.2 KB	+208 B / +321 B
Min / max size	79.9 KB / 177.1 KB	—
Total jobs / steps	2,006 / 28,550	+7 / +107
Total embedded scripts	12,976	+55

A single new workflow was added since yesterday (workflow_dispatch-only trigger, claude engine), accounting for the across-the-board increments.

File size distribution

Bucket	Count
100–250 KB	239
50–100 KB	11

Largest & smallest lockfiles

Largest: smoke-copilot-aoai-entra (177.1 KB), smoke-copilot-aoai-apikey (176.8 KB), smoke-copilot (176.2 KB), smoke-claude (172.6 KB), smoke-copilot-arm (164.3 KB), mcp-inspector (150.1 KB), deep-report (148.8 KB).

Smallest: test-workflow (79.9 KB), example-permissions-warning (80.6 KB), firewall (81.8 KB), codex-github-remote-mcp-test (81.9 KB), hippo-embed (88.9 KB).

The five smoke-* matrix workflows dominate the top end — broad engine/auth coverage inflates compiled size.

Trigger analysis

Trigger	Count
workflow_dispatch	242
schedule	167
pull_request	33
issues	4
issue_comment	2
push	2
workflow_run / discussion / discussion_comment / pull_request_review_comment	1 each

Top combinations: schedule+workflow_dispatch (163), workflow_dispatch only (49), pull_request+workflow_dispatch (26). 97% of workflows expose manual dispatch; scheduled automation is the dominant pattern (167 of 250).

Cron cadence skews to once-daily; most frequent slots appear twice (e.g. 49 14 * * 1-5, 23 11 * * *). A handful run every 4–6 h (*/4, */6) and one hourly (23 * * * *).

Safe outputs analysis

Safe-output type and discussion-category counters returned empty this run — the compiled lock format does not expose these as plain-text tokens the analyzer keys on (a known limitation of the text-heuristic pass, not an absence of safe outputs). Flagged below under recommendations.

Structural characteristics

Metric	Min	Avg	Max
Jobs / workflow	5	8.02	12 (firewall-escape)
Steps / workflow	77	114.2	153 (smoke-copilot)

Job-level timeout distribution: 31–60 min (280), 16–30 min (219), 6–15 min (120), ≤5 min (16), >60 min (2).

Permission patterns

All 250 workflows compile to an empty top-level permissions: {} block (least-privilege default); effective grants are scoped per-job and were not surfaced as read/write tokens in this pass.

Tool & MCP patterns

Engine	Workflows
copilot	156
claude	57
pi	19
codex	14
antigravity / crush / gemini / opencode	1 each

MCP server references (total across lockfiles): github 5,244 · playwright 126 · sentry 96 · grafana 28 · ruflo 16 · arxiv 6 · deepwiki 6.

GitHub MCP tooling is near-universal: ~30 distinct github::* read tools each appear in 114 workflows (e.g. get_pull_request, list_discussions, issue_read), confirming a standardized read-only GitHub toolset baseline.

Interesting findings

1. One-workflow growth, fully attributed. Every aggregate delta (jobs +7, steps +107, scripts +55, bytes +169.6 KB) traces to a single new claude-engine, dispatch-only workflow — clean, expected churn.
2. Copilot is the default engine (62%) at 156/250, with claude (57) a distant second; six other engines appear ≤19 times combined.
3. Smoke tests are the heavyweights. The 5 smoke-* workflows occupy the entire >164 KB tier due to engine/auth matrix expansion.
4. Manual + scheduled is the canonical shape — schedule+workflow_dispatch covers 163 workflows (65%); pure event-driven (pull_request-only, issues-only) is rare.
5. Uniform GitHub read surface. ~30 github::* read tools each present in exactly 114 workflows points to a shared compiled toolset template rather than per-workflow tuning.

Historical trends (34-day window, 2026-05-20 → 2026-06-23)

Steady, near-monotonic growth. Lockfile count and total bytes both rising; structural averages (8 jobs, ~114 steps/workflow) are stable, indicating new workflows match the established template rather than introducing new shapes. Day-over-day change remains small (≤1 workflow), consistent with incremental authoring.

Recommendations

1. Surface safe-output & permission metrics. The text-heuristic pass returns empty for safe-output types, discussion categories, and per-resource permissions on compiled lock files. Bump the analyzer to lockfile_stats_v2.py with a structured walk of the compiled job/step bodies to recover these — they are currently blind spots.
2. Audit smoke-test size growth. The smoke-* matrix drives the largest files and steepest byte growth; confirm matrix expansion is intentional as engines are added.
3. Review high-frequency crons. A few */4/*/6-hour and hourly schedules are the main compute drivers among 167 scheduled workflows — worth a cost check.

---

Methodology: single-script compact JSON analysis. Parser ran once (lockfile_stats_v1.py, cached), emitting a 4.8 KB summary; all figures derived from that summary and the prior-day history snapshot. yaml module unavailable in-runtime — structural fields computed via the script's fallback parser. 0 malformed files.

References: §28056398083

Generated by 📊 Lockfile Statistics Analysis Agent · 78.2 AIC · ⌖ 31.4 AIC · ⊞ 5K · ◷

• expires on Jun 24, 2026, 1:00 PM UTC-08:00